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Management  of  Defense  Finance  and  Accounting  Service 

Mid-Tier  Systems 

Executive  Summary 


Introduction.  This  report  is  based  on  an  allegation  to  the  DoD  Hotline  that  Defense 
Finance  and  Accounting  Service  (DFAS)  did  not  adequately  manage  its  Mid-Tier 
computing  assets.  Mid-Tier  systems  are  client/server  systems  that  offer  more 
processing  flexibility  than  mainframe  systems  by  allowing  computer  applications  to 
operate  on  multiple  databases  at  multiple  locations  in  a  seamless  manner  transparent  to 
the  end  user. 

The  management  of  DFAS  Mid-tier  systems  is  governed  by  two  documents.  DFAS 
Regulation  8000. 1-R,  “Concept  of  Operations  for  Maintaining  DFAS  Mid-Tier 
Computing  Platforms”  September  14,  1994,  initiated  the  Mid-Tier  policy  and  the 
“Mid-Tier  Policy  and  Procedures”  September  4,  1996,  was  meant  to  ensure  close 
cooperation  between  the  Directorate  for  Technical  Infrastructure  (DTI),  the  Financial 
Systems  Activities  (FSAs),  and  other  organizations  in  managing  and  maintaining  the 
UNIX  Mid-Tier  computers  and  the  Oracle  relational  database  environments. 

The  Mid-Tier  policies  affect  all  DFAS  Centers  as  well  as  the  Infrastructure  Services 
Organization  (ISO)  in  Indianapolis,  Indiana.  The  FY  1998  cost  to  operate  and  maintain 
the  Mid-Tier  systems  was  $16.7  million. 

DFAS  underwent  a  reorganization  in  March  1998.  Prior  to  the  reorganization,  the 
DFAS  Financial  System  Organization  (FSO),  headquartered  at  Indianapolis,  Indiana, 
was  responsible  for  the  management  and  maintenance  of  DFAS  Mid-Tier  systems.  The 
FSO  reported  directly  to  the  DFAS  Deputy  Director,  Information  Management  (who 
also  served  as  the  Director,  FSO).  The  FSO's  Mid-Tier  Management  Organization 
also  located  in  Indianapolis  was  responsible  for  Mid-Tier  systems  policies  and 
procedures.  The  seven  FSAs  were  directly  subordinate  and  reported  to  the  Mid-Tier 
Management  Organization.  In  the  reorganization,  the  FSO  was  renamed  the  ISO  and 
retained  responsibility  for  the  management  and  maintenance  of  Mid-Tier  systems.  The 
ISO  accomplishes  this  through  its  DTI,  which  was  formerly  the  Mid-Tier  Management 
Organization. 

Audit  Objectives.  The  overall  audit  objective  was  to  determine  whether  the  complaint 
to  the  DoD  Hotline  had  merit.  Specifically,  we  assessed  the  roles  and  responsibilities 
of  the  ISO  and  FSAs  and  evaluated  their  effectiveness  in  supporting  automated  systems. 

Audit  Results.  The  lack  of  adequate  communication  between  the  DTI  and  the  FSAs 
precluded  full  consideration  of  the  FSAs  input  into  the  DFAS  Mid-Tier  systems  policy 
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decisions.  Additionally,  appropriate  performance  measures  and  monitoring  tools  were 
lacking  after  the  1996  Mid-Tier  systems  restrucmring.  As  a  result,  DFAS  did  not  fully 
consider  FSAs  input  into  DFAS  management  and  policy  implementation  for  Mid-Tier 
systems.  In  addition,  neither  the  DTI  nor  the  FSAs  could  ensure  the  efficient 
development  of  Mid-Tier  systems.  See  Part  I  of  this  report  for  further  details. 

Summary  of  Recommendations.  We  recommend  that  DFAS  establish  a  specific  date 
for  resuming  quarterly  reviews  and  establish  documentation  rules  for  Mid-Tier  systems 
management.  We  also  recommend  that  DFAS  establish  a  quarterly  review  agenda  to 
discuss  staffing  concerns  and  alternatives,  system  access,  system  security,  long-range 
goals,  policy  and  procedure  change  standards,  and  policy  and  procedure  documentation 
standards.  Also,  performance  measurement  and  monitoring  tools  must  be  established 
to  track  the  efficiency  of  Mid-Tier  systems  projects.  Additional  management  controls 
are  needed  to  ensure  success  of  the  program. 

Management  Comments.  The  DFAS  concurred  with  the  recommendations  and  has 
taken  action  to  implement  the  recommendations.  The  DFAS  reactivated  the  quarterly 
Mid-Tier  working  group  and  scheduled  the  first  meeting  for  December  1998.  The 
DFAS  plans  to  include  issues  on  staffing,  system  access  and  security,  and  policy  and 
procedures  during  the  quarterly  reviews.  The  DFAS  has  established  a  milestone  of 
September  1999  for  implementing  performance  measures  for  Mid-Tier  systems 
projects.  The  complete  text  of  the  management  comments  is  in  the  Management 
Comments  section  of  the  report. 
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Introduction 


This  report  addresses  DoD  Hotline  allegations  concerning  the  management  of 
Defense  Finance  and  Accounting  Service  (DFAS)  Mid-Tier  development 
systems. 


Audit  Background 

Financial  System  Organization  Reorganization.  DFAS  underwent 
reorganization  in  March  1998.  Prior  to  the  reorganization,  the  DFAS  Financial 
System  Organization  (FSO),  headquartered  at  Indianapolis,  Indiana,  was 
responsible  for  the  management  and  maintenance  of  DFAS  Mid-Tier  systems. 
The  FSO  reported  directly  to  the  DFAS  Deputy  Director,  Information 
Management  (who  also  served  as  the  Director,  FSO).  The  FSO's  Mid-Tier 
Management  Organization,  also  located  in  Indianapolis,  was  responsible  for 
Mid-Tier  systems  policies  and  procedures.  There  were  seven  Financial  Systems 
Activities  (FSAs)  directly  subordinate  and  reporting  to  the  Mid-Tier 
Management  Organization.  Of  these  seven,  all  except  for  Patuxent  River, 
Maryland,  were  responsible  for  developing  DFAS  Mid-Tier  applications. 

In  the  reorganization,  DFAS  re-titled  the  FSO  as  the  Infrastructure  Services 
Organization  (ISO),  and  placed  it  under  the  direct  control  of  the  DFAS  Director 
for  Information  and  Technology  headquartered  at  Arlington,  Virginia.  In 
addition,  DFAS  placed  the  Pensacola,  Florida,  and  Patuxent  River,  Maryland, 
FSAs  under  the  direct  control  of  the  Director  for  Information  and  Technology. 
The  Cleveland,  Ohio;  Columbus,  Ohio;  Denver,  Colorado;  Indianapolis, 
Indiana;  and  Kansas  City,  Missouri,  FSAs  were  placed  under  the  direct  control 
of  the  individual  DFAS  Center  Directors  at  those  respective  geographic 
locations.  In  the  reorganization,  the  ISO  retained  responsibility  for  the 
management  and  maintenance  of  Mid-Tier  systems.  The  ISO  accomplishes  this 
through  its  Directorate  for  Technical  Infrastructure  (DTI).  The  DTI  formerly 
carried  out  the  same  functions  as  the  FSO  Mid-Tier  Management  Organization. 
The  table  on  the  following  page  illustrates  these  changes. 

Mid-Tier  Defined.  DFAS  refers  to  its  client/server  systems  as  its  Mid-Tier 
systems.  Mid-Tier  or  client/server  systems  offer  more  processing  flexibility 
than  mainframe  systems  by  allowing  computer  applications  to  operate  on 
multiple  databases  at  multiple  locations  in  a  seamless  manner  transparent  to  the 
end  user.  DFAS  Mid-Tier  development  systems  are  UNIX  based  and  are 
comprised  mainly  of  Hewlett-Packard  and  Sun  Microsystems  minicomputers. 
The  FY  1998  cost  to  operate  the  Mid-Tier  systems  was  $16.7  million. 

Mid-Tier  Responsibility.  Prior  to  September  1996,  the  FSAs  were  responsible 
for  allocating  access  to  the  Mid-Tier  systems.  Subsequent  to  the  1996 
restructuring,  the  DTI  became  responsible  for  allocating  Mid-Tier  access.  The 
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granter  of  access  rights  determines  the  logical  control  of  the  Mid-Tier  systems. 
Logical  control  is  the  control  exercised  through  programming  regardless  of  the 
physical  location  of  the  system. 


Mid-Tier  Management  Structure 

Before  Reorganization 

After  Reorganization 

Overall  Mid-Tier 
Responsibility 

FSO 

ISO 

Mid-Tier  Policies 

Mid-Tier  Management 

Directorate,  Technical 

and  Procedures 

Office 

Infrastructure  (DTI) 

Mid-Tier 

Development 

FSAs 

FSAs 

FSAs  Report  To 

Mid-Tier  Management 

Directly  to  the 

Office 

Geographic  DFAS  Center 
Director  and  indirectly  to 

the  DTI 

ISO  Mission.  ISO’s  primary  missions  are  software  development  and 
maintenance  for  finance  and  accounting  systems  and  technical  support  for  the 
DFAS  infrastructure.  The  ISO  supports  more  than  100  systems  and  is  actively 
managing  the  DFAS  Enterprise  Local  Area  Network  (the  network  is  the  DFAS 
wide-area  network).  Before  the  reorganization,  the  ISO  had  1,400  civilian  and 
100  military  personnel,  5  Directorates,  and  7  FSAs.  After  the  reorganization, 
FSAs  personnel  reported  to  a  DFAS  Center  Director;  however,  their  work  still 
supports  the  DFAS  systems  and  is  subject  to  ISO  policy  decisions. 

Hotline  Allegations.  The  OIG,  DoD,  Hotline  received  allegations  regarding 
the  1996  restructuring.  Specifically,  the  allegations  stated  that  the  DFAS  ISO 
did  not  effectively  use  the  resources  of  its  FSAs  personnel  in  managing  Mid- 
Tier  development  systems  prior  to  the  1996  restructuring.  Specific  allegations 
were  made  regarding  policy,  staffing,  and  accomplishing  work  efficiently  and 
effectively. 


Audit  Objectives 

The  overall  audit  objective  was  to  determine  whether  the  Hotline  allegations  had 
merit.  Specifically,  we  assessed  the  roles  and  responsibilities  of  the  DTI  and 
FSAs  personnel  and  evaluated  their  effectiveness  in  supporting  Mid-Tier 
development  systems.  See  Appendix  A  for  a  discussion  of  the  audit  scope  and 
methodology  and  prior  coverage. 
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Communication  in  Mid-Tier  Systems 
Management 

The  lack  of  adequate  communication  between  the  DTI  and  the  FS  As 
precluded  full  consideration  of  the  FSAs  input  into  the  DFAS  Mid-Tier 
systems  policy  decisions.  Additionally,  appropriate  performance 
measures  and  monitoring  tools  were  lacking  after  the  1996  Mid-Tier 
systems  restructuring.  This  occurred  for  the  following  reasons. 

•  The  DTI  cancelled  quarterly  reviews  held  between  the  DTI 
and  FSAs. 

•  The  DTI  had  not  adequately  documented  Mid-Tier  policies  and 
procedures  in  regard  to  access,  security,  and  policy  changes. 

•  The  DTI  experienced  staff  turnover  problems  in  its 
management  of  the  Mid-Tier  development  systems. 

•  The  DTI  and  FSAs  had  not  acquired  appropriate  performance 
measurement  and  monitoring  tools. 

As  a  result,  DFAS  did  not  fully  consider  input  by  the  FSAs  into  DFAS’ 
management  and  policy  implementation  for  Mid-Tier  systems.  In 
addition,  neither  the  DTI  nor  the  FSAs  could  ensure  that  Mid-Tier 
systems  were  being  developed  on  the  most  efficient  basis. 


Management  Communications  and  Controls 

The  DTI  invoked  the  1996  restructuring  changes  to  accomplish  the  immediate 
goals  of  the  DFAS  Deputy  Director,  Information  Management,  to  standardize 
UNIX  and  Oracle  software  used  on  the  Mid-Tier  systems,  thus  enhancing 
performance  and  security.  However,  communications  between  the  DTI  and  the 
FSAs,  to  convey  policy  revisions  and  to  manage  DFAS  Mid-Tier  development 
systems,  were  not  adequate  after  the  reorganization.  The  lack  of  adequate 
communication  precluded  full  consideration  of  the  FSAs  input  into  the  DFAS 
Mid-Tier  systems  policy  decisions.  Likewise,  appropriate  performance 
measures  and  monitoring  tools  were  lacking.  Therefore,  neither  the  DTI  nor 
the  FSAs  could  ensure  &at  they  were  developing  Mid-Tier  systems  on  the  most 
efficient  basis. 


DFAS  Mid-Tier  Guidance 


Mid-Tier  Guidance.  Since  September  1994,  DFAS  issued  guidance  on  the 
management  of  Mid-Tier  systems  to  foster  the  efficient  operation  and 


3 


maintenance  of  the  systems.  In  September  1994,  the  DFAS  Deputy  Director  for 
Mormation  Management  issued  the  “Concept  of  Operations  for  Maintaining 
Mid-Tier  Systems.”  In  September  1996,  the  same  person,  also  functioning  in 
the  role  of  the  DFAS,  Director,  FSO,  issued  the  “Mid-Tier  Policy  and 
Procedures”  document.  The  “Mid-Tier  Polices  and  Procedures”  document 
further  defined  roles  and  responsibilities.  Most  significantly,  the  Mid-Tier 
policies  and  procedures  removed  the  FSAs  authority  to  grant  accesses  to  Mid- 
Tiers  and  transferred  the  authority  to  the  DTI.  See  Appendix  B  for  a  full 
description  of  the  guidance. 


Review  of  the  Hotline  Allegations 

The  Hotline  allegations  focused  on  the  adequacy  of  the  DFAS  Mid-Tier 
management  and  control  structure,  the  use  of  FSA  resources  by  the  DFAS  ISO, 
and  the  impact  of  the  1996  restructuring.  Specifically,  the  allegations  stated 
that  the  DTI: 

•  centralization  policy  was  not  efficient, 

•  staffing  levels  were  inadequate  to  effectively  execute  the 
centralization  policy, 

•  work  was  unreliable  and  had  to  be  redone, 

•  centralization  policy  had  caused  some  FSAs  projects  to  fail,  and 

•  costs  were  not  adequately  tracked  to  FSAs  projects. 

Validity  of  Allegations.  We  determined  that  the  issues  cited  in  the  Hotline 
allegations  were  reflective  of  concerns  also  expressed  by  the  FSAs  during  the 
audit,  and  that  some  issues  had  merit.  Based  on  this  evaluation  of  the  validity 
of  the  Hotline  allegations,  we  issued  preliminary  findings  in  a  memorandum  to 
the  Director,  ISO,  and  to  the  FSAs  Directors  on  April  17,  1998.  The  Director, 
ISO,  and  the  FSAs  Directors  concurred  with  the  findings.  The  following 
provides  details  of  each  allegation  and  audit  results. 

Efficiency  of  Centralized  Control.  The  Hotline  complaint  alleged  that 
the  DTI  centralization  policy  was  not  efficient.  The  allegation  was  substantiated 
because  of  a  lack  of  effective  communication  and  the  failure  to  build  trust 
relationships  between  the  DTI  and  the  FSAs.  In  the  1996  restructuring,  DFAS 
intended  to  improve  system  performance  and  security  by  centralizing  control  of 
Mid-Tier  systems  under  the  DTI.  The  centralization  effort  was  in  accordance 
with  the  1994  Concept  of  Operations,  which  states  that  the  Mid-Tier  systems 
must  be  standardized  to  allow  employees  to  work  on  any  Mid-Tier  system 
without  re-training  or  any  noticeable  adjustment.  In  addition,  the 
standardization  allowed  applications  to  operate  on  multiple  databases  at  multiple 
locations  in  a  seamless  manner  transparent  to  the  end  user.  In  such  an 
environment,  however,  system  security  becomes  a  more  significant  issue 
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because  user  data  and  data  processing  are  no  longer  isolated  to  a  specific 
computer  or  terminal  with  fixed  connections  between  them.  Rather,  multiple 
users  could  have  inappropriate  access  to  information. 

FSAs  personnel  at  the  sites  contacted  indicated  that  central  control  of  software 
development,  production,  and  maintenance  was  necessary  to  assure  that  a  set  of 
standard  business  practices  were  established  and  followed  within  DFAS.  They 
further  agreed  that  limiting  powerful  system  administrator  “root”  authority  to 
select  personnel  enhances  security.'  However,  FSAs  personnel  indicated  that 
the  implementation  of  the  policy  had  not  been  totally  effective  and  caused  undue 
access  restrictions  to  FSAs  application  developers  and  software  testers  and 
confusion  over  guidance  provided.  For  example: 

•  FSA  Cleveland  personnel  stated  that  the  current  policy 
precludes  delegation  or  decentralization  of  detailed  tasks,  however  the  DTI  staff 
was  so  busy  trying  to  keep  up  with  detailed  tasks  that  DTI  development  and 
documentation  of  central  operating  standards  suffered.  Additionally,  an  FSA 
Columbus  employee  stated  that  now  the  DTI  must  create  computer  programs 
(“scripts”)  to  test  or  install  an  application  prior  to  releasing  the  programs  to  the 
Defense  Information  Systems  Agency,  which  administers  DFAS  production 
systems.  The  scripts  are  needed  to  size  the  databases  and  tablespaces  correctly 
so  that  the  application  runs  efficiently.  However,  the  assigned  DTI  personnel 
had  not  attended  planning  meetings  and  were  unfamiliar  with  the  application, 
thus  requiring  the  DTI  personnel  to  test  and  install  software  applications  they 
may  not  understand. 

•  FSA  Columbus  personnel  stated  that  the  DTI  had  not  provided 
sufficient  written  documentation  to  support  the  level  of  access  restrictions  nor 
adequately  documented  DTI  and  FSAs  personnel  job  descriptions  and  business 
procedures.  Those  FSA  personnel  stated  that  DTI  personnel  tended  to  cite  un¬ 
documented  rules  and  procedures  and  provided  contradictory  guidance. 

•  FSA  Columbus  persoimel  stated  that,  while  the  1996  Mid-Tier 
Policies  and  Procedures  document  gives  DTI  its  authority;  the  DTI  had  not 
issued  a  policy  memorandum  stating  why  certain  access  rights  would  be  given 
or  taken  away.  FSAs  personnel  stated  that  they  were  notified  either  verbally  or 
found  that  the  access  had  changed  when  attempting  to  complete  work.  While 
FSAs  personnel  acknowledge  they  would  like  to  regain  full  access  to 
development  systems,  they  believe  that  the  DTI  positions  would  be  better 
accepted  if  major  decisions  were  made  with  FSAs  input  and  those  decisions 
were  documented. 

The  ISO  and  DTI  did  not  respond  directly  to  specific  allegations;  however,  they 
were  aware  of  the  FSAs  concerns  and  agreed  Aat  a  lack  of  effective 
communications  caused  many  of  the  problems  and  have  stated  that  steps  will  be 
taken  to  correct  problems  and  misunderstandings.  FSAs  system  administrators 


'“Root”  access  or  authority  within  UNIX  based  systems,  and  “Oracle  7”  within  Oracle  gives  the  user 
absolute  control  over  that  particular  portion  of  the  Mid-Tier  system. 
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believed  that  some  levels  of  authority  could  be  delegated  to  them  to  accomplish 
their  assigned  work.  Such  a  delegation  would  be  consistent  with  the  1996  Mid- 
Tier  Policies  and  Procedures  that  allows  the  DTI  to  delegate  responsibilities  to 
PSAs  where  a  Mid-Tier  development  system  is  present.  The  DTI,  however, 
indicated  that  it  chose  not  to  delegate  because  sufficient  trust  relationships 
between  the  DTI  and  FSAs  had  not  yet  been  established.  However,  due  to 
budget  constraints  the  DTI  suspended  opportunities  to  develop  the  trust,  such  as 
quarterly  meetings,  in  1996. 

Adequacy  of  DTI  Staffing.  The  Hotline  complaint  alleged  that  the  DTI 
staffing  levels  were  inadequate  to  effectively  execute  the  centralization  policy. 
We  substantiated  the  allegation.  Since  the  1996  restructuring  requires  that  the 
DTI  control  access  to  the  Mid-Tier  systems,  it  is  essential  that  the  DTI 
accomplish  its  functions  on  an  efficient  basis.  However,  both  ISO  and  FSAs 
personnel  stated  that  the  DTI  had  experienced  staffing  problems.  Specifically, 
turnover  and  experience  were  critical  problems.  For  example; 

•  FSA  Pensacola  personnel  observed  that  missed  systems 
milestones  and  unsatisfied  requirements  continue  to  occur  because  resources  are 
not  available  to  satisfy  all  organizational  objectives.  Additionally,  FSA 
Pensacola  personnel  stated  that  this  lack  of  resources  had  resulted  in  adverse 
schedule  impacts  and  lost  developer  productivity. 

•  FSA  Columbus  and  Indianapolis  personnel  stated  that  they  had 
waited  from  hours  to  weeks  for  assistance  from  DTI  personnel.  Columbus  and 
Indianapolis  personnel  believe  that  with  increased  access  and  permissions  they 
could  have  accomplished  assigned  tasks  much  sooner. 

The  FSAs  stated  that  the  process  had  improved  somewhat  since  the 
reorganization,  but  still  needed  work.  FSA  Pensacola  personnel  suggest  that 
DFAS  Headquarters  personnel  should  address  resource  constraints  and  develop 
a  plan  to  correct  this  staffing  situation.  The  Pensacola  personnel  also  suggested 
that  the  Defense  Iirformation  Systems  Agency  personnel  and  system  resources 
should  be  considered  as  an  alternative.  The  Defense  Information  Systems 
Agency  provides  this  level  of  support  for  DFAS  Mid-Tier  production  systems. 

ISO  personnel  stated  that  the  DTI  resource  restrictions  would  continue  to  be  a 
problem  because  of  funding  constraints  and  turnover  due  to  DTI  personnel 
leaving  for  higher  paying  private  sector  jobs  after  gaining  practical  training  and 
experience. 

Reliability  of  DTI  Work.  The  Hotline  complaint  alleged  that  DTI  work 
was  unreliable  and  had  to  be  redone.  We  did  not  find  direct  evidence  to  support 
the  allegation.  However,  we  did  find  that  the  level  of  work  required  by  the  DTI 
and  the  FSAs  was  not  adequately  defined  and  could  lead  to  inefficient  work 
processes.  For  example,  FSAs  personnel  were  confused  about  whom  would  be 
responsible  for  script  development  and  the  proper  allocation  of  databases  so  that 
the  applications  could  be  tested  and  installed  efficiently.  Before  the  1996 
restructuring  the  FSAs  were  responsible  for  this;  however,  now  before  an 
application  can  be  fielded  DTI  personnel  must  test  it  on  the  DTI  test  system. 


6 


The  FSAs  stated  that  this  requires  the  DTI  personnel  to  test  and  install 
applications  they  may  not  completely  understand.  FSA  Cleveland  personnel 
observed  that  simple  tasks  that  could  have  been  performed  by  FSAs  personnel 
were  being  performed  by  an  undermanned  and  shifting  contractor  work  force. 
FSA  Cleveland  personnel  suggest  that  all  viable  alternatives  to  the  DTI  staffing 
concerns  be  evaluated  to  include  skilled  FSAs  personnel. 

The  Director,  ISO  did  not  directly  respond  to  this  specific  allegation  but  stated 
that  communication  problems  existed  and  would  be  addressed  with  FSAs 
personnel  through  reestablishment  of  the  quarterly  reviews. 

Success  Rate  of  FSAs  Projects  after  the  1996  Restructuring.  The 
Hotline  complaint  alleged  that  some  FSAs  projects  failed  because  of  the  DTI 
centralization  policy.  We  found  that  FSAs  projects  had  experienced  delays  and 
missed  some  milestones  because  of  the  centralization  policy;  however,  none  had 
failed.  Delays  do  require  that  additional  unplanned  resources  must  be  expended 
to  complete  projects,  therefore,  the  delays  add  to  project  costs.  We  could  not 
validate  the  success  rate  of  the  FSAs  projects  because  the  DTI  and  the  FSAs  had 
not  established  performance  measurements  that  would  quantify  the  effects  of  the 
policy  changes  on  FSAs  projects.  Neither  could  we  determine  on  a  DFAS-wide 
basis  whether  the  centralization  policy  provided  benefits. 

DTI  Project  Cost  Tracking.  The  Hotline  complaint  alleged  that  the 
DTI  costs  were  not  adequately  tracked.  We  could  not  substantiate  the  allegation 
because  FSAs  personnel  could  not  cite  any  instances  where  DTI  costs  were  not 
tracked  adequately.  We  spoke  with  the  complainant(s)  and  ISO  budget 
personnel  about  the  allegations  and  determined  that  the  complaint  was  that  the 
DTI  costs  did  not  show  up  as  direct  project  costs.  The  complainant(s)  believe 
that  if  these  costs  were  added  to  the  project  costs  it  could  show  that  the 
centralization  policy  was  not  cost  effective.  While  the  application  of  the  DTI 
indirect  costs  as  overhead  was  appropriate,  DTI  still  needs  to  establish 
performance  metrics  to  internally  review  and  then  determine  whether  the 
centralization  policy  is  efficient  on  a  DFAS-wide  basis. 


Summary 

As  a  result  of  the  lack  of  good  communication,  the  DTI  and  the  FSAs  could  not 
ensure  development  of  systems  on  the  most  efficient  basis.  Information 
technology  is  critical  to  DFAS  operations.  Preliminary  comments  received 
from  the  ISO  and  the  FSAs  on  the  results  of  this  audit  were  responsive  and  a 
logical  first  step  toward  accomplishing  that  goal.  Other  necessary  steps  are 
establishing  a  specific  date  for  resuming  the  quarterly  reviews  to  discuss  and 
establish  Mid-Tier  systems  documentation  rules.  For  the  quarterly  reviews  to 
be  effective  the  ISO,  DTI,  and  the  FSAs  must  prepare  agendas  covering  the 
significant  concerns  of  all  parties  such  as  staffing,  system  access  and  security. 
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and  policies  and  procedures.  Finally,  the  parties  must  be  able  to  track  and 
monitor  the  performance  of  Mid-Tier  systems  decisions;  therefore,  performance 
measurement  tools  are  necessary. 


Recommendations  and  Management  Comments 

We  recommend  that  the  Director,  Defense  Finance  and  Accounting  Service: 

1.  Require  the  Infrastructure  Services  Organization  and  the 
Financial  Services  Activities  to  establish  a  specific  date  for  resuming  the 
quarterly  reviews  to  establish  documentation  rules  for  Mid-Tier  systems. 

Management  Comments.  The  Defense  Finance  and  Accoimting  Service 
concurred  and  reactivated  the  quarterly  Mid-Tier  working  group  in  September 
1998  and  scheduled  the  first  meeting  for  December  1998. 

2.  Require  the  Infrastructure  Services  Organization  and  the 
Financial  Services  Activities  to  develop  an  agenda  for  the  quarterly  review 
to  discuss  staffing,  system  access  and  security,  and  policy  and  procedures. 

Management  Comments.  The  Defense  Finance  and  Accounting  Service 
concurred  and  will  include  in  their  agenda  for  the  quarterly  meetings, 
discussions  on  staffing,  system  access  and  security,  and  policy  and  procedures. 

3.  Require  the  Infrastructure  Services  Organization  and  the 
Financial  Services  Activities  to  develop  and  implement  a  plan  for  Mid-Tier 
system  performance  measurement  and  monitoring  tools  to  track  the 
efficiency  of  system  projects. 

Management  Comments.  The  Defense  Finance  and  Accounting  Service 
concurred  and  is  implementing  performance  measures  to  track  the  performance 
of  implementing  mid-tier  policies  and  procedures  and  to  accurately  track  project 
cost.  The  measures  will  be  used  to  make  the  appropriate  decisions.  The 
projected  milestone  for  completion  is  September  1999. 
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Appendix  A.  Audit  Process 


Scope  and  Methodology 

Work  Performed.  The  objective  of  this  audit  was  to  evaluate  the  roles  and 
responsibilities  within  DFAS  ISO  structure  to  support  automated  information 
systems.  The  primary  missions  of  the  ISO  are  software  development  and 
maintenance  for  finance  and  accounting  systems  and  technical  support  for  the 
DFAS  infrastructure.  The  ISO  supports  more  than  100  finance  and  accounting 
related  systems  and  is  actively  managing  the  DFAS  Enterprise  Local  Area 
Network  (the  Network  is  the  DFAS  wide-area  network).  Before  the 
reorganization,  the  ISO  had  1,400  civilian  and  100  military  personnel,  5 
Directorates,  and  7  FSAs.  Specifically,  we  evaluated  whether  the  ISO's  DTI 
and  FSAs  were  supporting  the  systems  in  an  efficient  and  effective  manner. 

The  scope  of  the  audit  was  limited  in  that  we  did  not  review  the  management 
control  program. 

The  methodology  of  the  review  included  analyses  of  DTI  documentation  and 
interviews  with  DFAS  personnel.  Specifically  we: 

•  Reviewed  mission  and  functions  statements, 

•  Evaluated  DTI  policies  relating  to  Mid-Tier  management, 

•  Interviewed  ISO,  DTI  and  FSAs  personnel,  and 

•  Coordinated  the  results  of  the  review  with  ISO  management  for 
appropriate  corrective  actions. 

DoD-Wide  Corporate  Level  Government  Performance  and  Results  Act 
Goals.  In  response  to  the  Government  Performance  and  Results  Act,  the  DoD 
has  established  6  coiporate  level  performance  objectives  and  14  goals  for 
meeting  these  objectives.  This  report  pertains  to  the  achievement  of  the 
following  objective  and  goal. 

Objective:  Fundamentally  reengineer  DoD  and  achieve  a  2F‘  century 
infrastructure.  Goal:  Reduce  costs  while  maintaining  required  military 
capabilities  across  all  DoD  mission  areas.  (DoD-6) 

DoD-Functional  Area  Reform  Goals.  Most  major  DoD  functional  areas  have 
also  established  performance  improvement  reform  objectives  and  goals.  This 
report  pertains  to  the  following  functional  area  objective  and  goal. 

Information  Technology  Management  Functional  Area.  Objective: 
Provide  services  that  satisfy  customer  information  needs.  Goal: 
Improving  information  technology  management  tools.  (ITM-3.1) 


9 


General  Accounting  Office  High  Area.  The  General  Accounting  Office 
identified  several  high  risk  areas  in  the  Department  of  Defense.  This  report 
provides  coverage  of  the  Information  Management  and  Technology  high  risk 
area. 

Use  of  Computer-Processed  Data.  We  did  not  use  computer-processed  data  to 
perform  this  audit. 

Use  of  Technical  Assistance.  We  did  not  require  technical  assistance. 

Audit  Type,  Date,  and  Standards.  We  performed  this  economy  and  efficiency 
audit  from  February  1998  through  August  1998  in  accordance  with  auditing 
standards  issued  by  the  Comptroller  General  of  the  United  States,  as 
implemented  by  the  Inspector  General,  DoD. 

Contacts  During  the  Audit.  We  visited  or  contacted  individuals  and 
organizations  within  the  DoD.  Further  details  are  available  on  request. 


Summary  of  Prior  Coverage 


General  Accounting  Office  Report  GAO/AIMD-97-41  (OSD  Case  1346) 
“Defense  Financial  Management  -  Immature  Software  Development  Processes 
at  Indianapolis  Increase  Risk,”  June  1997. 

Inspector  General,  DoD  Report  No.  95-270  “Corrective  Actions  on  System  and 
Software  Security  Deficiencies,”  June  30,  1995. 

Inspector  General,  DoD  Report  No.  95-263,  “Controls  Over  Operating  Systems 
and  Security  Software  and  Other  General  Controls  for  Computer  Systems 
supporting  the  Defense  Finance  and  Accounting  Service,”  June  29,  1995. 
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Appendix  B.  DFAS  Mid-Tier  Guidance 


Since  September  1994  DFAS  has  issued  various  guidance  on  the  management  of 
Mid-Tier  computing  platforms.  The  DFAS  Deputy  Director  for  Information 
Management  issued  tiie  “Concept  of  Operations  for  Maintaining  Mid-Tier 
Computing  Platforms,”  September  14,  1994.  To  provide  further  clarification 
the  DFAS,  Director,  Financial  System  Organization,  issued  the  "Mid-Tier 
Policy  and  Procedures"  September  4,  1996.  During  this  time  the  Deputy 
Director  for  Information  Management  and  the  Director,  Financial  Systems 
Organization,  were  the  same  person. 

Mid-Tier  Computing  Platforms.  Mid-Tier  Computing  Platforms  is  the  name 
of  DFAS  client/server  computers.  Client/server  computers  offer  more 
processing  flexibility  than  mainframe  computers.  Specifically,  the  client  server 
architecture  provides  the  necessary  environment  for  applications  to  operate  on 
multiple  databases  at  multiple  locations  in  a  seamless  manner  transparent  to  the 
end  user.  The  DFAS  Mid-Tier  development  computers  are  UNIX-based  and 
are  comprised  mainly  of  Hewlett-Packard  and  Sun  Microsystems 
minicomputers.  The  development  computers  are  located  at  FSAs  in  Denver, 
Indianapolis,  Kansas  City,  Columbus,  Pensacola,  and  Cleveland. 

Concept  of  Operations  for  Maintaining  Mid-Tier  Computing  Platforms. 

The  1994  Concept  of  Operations  describes  the  premise  and  goals,  the  team 
approach,  written  policies  and  procedures,  Mid-Tier  access,  systems  security, 
and  systems  access: 

•  Premise  and  Goals.  The  basic  premise  is  for  the  DTI  to  have  the 
lead  responsibility  (technical,  management,  and  administrative)  for  UNIX  server 
platforms.  Limiting  the  need  for  expertise  in  UNIX  software  installation, 
configuration,  and  related  system  management  issues  to  the  DTI  will  reduce 
costs.  The  system  environment  must  be  sufficiently  standardized  to  allow 
employees  to  work  on  any  of  the  Mid-Tier  platforms  without  retraining  or  any 
noticeable  period  of  adjustment.  Standardization  should  make  it  possible  to 
move  development  efforts  from  one  platform  to  the  another  (interoperability) 
without  any  significant  impact  (assuming  capacity  is  available).  However, 
interoperability  goes  beyond  allowing  users  to  access  resources  in  a  seamless 
uniform  manner.  Interoperability  provides  the  necessary  environment  that 
allows  applications  to  operate  on  multiple  databases  at  multiple  locations  in  a 
seamless  manner  transparent  to  the  end  user.  This  is  a  requirement  for  a  fully 
enabled  client/server  development  and  implementation  process.  Enforcement  of 
these  DTI  standards  will  be  an  integral  part  of  these  high-level  goals. 

•  Team  Approach.  The  team  approach  will  be  essential  to  the 
successful  management  of  the  Mid-Tier  platforms.  Specifically,  the  role  the 
DTI  takes  for  itself  on  this  team  will  be  important.  The  DTI  will  attempt  to  be 
a  facilitator  more  than  the  expert  with  regards  to  both  technical  information  and 
system  standards.  There  is  no  way  that  any  one  individual  or  organization  can 
expect  to  be  expert  in  all  areas  of  the  new  development  technologies.  However, 
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in  its  role,  the  DTI  will  monitor  the  technologies  used,  problems  encountered, 
and  successes  achieved  in  FSAs  development  projects.  Hence,  when  an  FSAs 
encounters  a  problem,  the  DTI  will  be  able  to  identify  other  FSAs  who  have  run 
into  similar  problems  and  offer  proven  solutions.  With  regards  to  standards, 
the  approach  taken  will  be  that  there  is  a  need  for  uniformity.  Therefore,  the 
DTI  will  solicit  the  FSAs  for  their  ideas  on  the  best  means  to  achieve 
standardization.  By  having  team  involvement  in  determining  details, 
standardization  solutions  will  be  more  palatable  when  implemented. 

•  Written  Policies  and  Standards.  The  DTI  will  develop  written 
policies  and  standards.  Also,  the  DTI,  with  ISO  headquarters  approval,  will 
distribute  and  implement  the  policies  and  standards. 

•  Mid-Tier  Access.  The  FSAs  will  control  access  to  their  local  Mid- 
Tier  platforms.  However,  as  requested  by  ISO  headquarters,  it  will  be 
necessary  to  provide  access  to  the  DTI  and  other  organizations. 

•  System  Security.  Security  becomes  an  essential  issue  with  the 
interoperability  and  openness  necessary  for  the  new  development  technologies. 
User  data  and  processing  are  no  longer  isolated  to  a  specific  computer,  host, 
terminal  or  personal  computer  with  fixed  connections  between  them.  Instead, 
user  data  and  processing  will  be  spread  across  a  wide  spectrum  of  computer 
hardware  and  software  with  a  standard  but  open  set  of  rules  interconnecting 
them.  A  consistent,  organized  approach  to  security  will  be  necessary  to  allow 
openness  for  the  applications  to  operate  effectively  and  to  protect  and  ensure  the 
integrity  of  work  being  done. 

•  System  Performance.  In  the  increasingly  complex  systems 
environments  management  of  performance  and  response  times  will  be  more 
complex  and  yet  more  critical.  It  will  be  necessary  to  baseline  Mid-Tier 
systems  and  ELAN  performance  levels  to  evaluate  application  performance. 

The  DTI,  ELAN  Management  team,  and  the  FSAs  will  share  performance 
measurement  responsibility.  Consistent  metrics  and  metric  reporting  across  the 
environment  will  be  essential. 

Mid-Tier  Policy  and  Procedures.  In  the  1996  Mid-Tier  Policies  and 
Procedures  document  DFAS  defined  the  purpose  for  the  document,  the  need  for 
cooperation,  responsibilities,  and  access  rights  as  follows. 

•  Purpose.  In  production  and  development  environments,  the  Mid-Tier 
policy  and  procedures  document  provides  UNIX  Mid-Tiers  and  the  Oracle 
Relational  Data  Base  Management  System  management  and  maintenance 
instructions  executable  by  the  DTI.  The  policy  and  procedures  document 
describes  all  installation,  security,  monitoring,  diagnostic,  recovery,  and 
administrative  procedures  required  to  support  the  Mid-Tier  environment. 

•  Cooperation.  To  ensure  close  cooperation,  die  DTI  will  sponsor 
quarterly  meetings  with  the  developing  FSAs  and  other  organizations. 
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•  Responsibilities.  The  DTI  is  responsible  for  all  aspects  of  the  Mid- 
Tier  platforms.  Also,  the  DTI  is  responsible  for  ensuring  that  all  DFAS  Mid- 
Tier  environments  comply  with  DoD  and  DFAS  security  policies  and 
regulations.  The  DTI  can  delegate  responsibilities  to  FSAs  sites  where  a  Mid- 
Tier  development  platform  is  present.  Personnel  at  those  sites  are  known  as 
local  systems  administrators  and  local  database  administrators.  The  local 
systems  administrators  will  be  responsible  for  the  development  platforms  at 
their  site,  including  compliance  with  all  DTI  developed  policies,  procedures, 
and  standards.  The  local  database  administrators  will  be  responsible  for  the 
Oracle  Relational  Data  Base  Management  System  on  the  development  platforms 
at  their  site,  including  compliance  with  all  DTI  developed  policies,  procedures, 
and  standards.  All  production  and  support  software  upgrades  will  be  installed 
first  on  the  DTI  test  platform  for  validation.  The  Local  Systems  Administrators 
and  each  project  officer  will  be  allowed  to  test  applications  on  the  DTI  test 
platform,  in  accordance  with  reasonable  resource  usage  and  availability.  The 
Local  Database  Administrators  and  the  DTI  are  responsible  for  the  performance 
of  the  database  on  the  Mid-Tier  development. 

•  UNIX  Access.  The  DTI  will  retain  root  access  (unrestricted  access  to 
UNIX  platforms)  to  all  Mid-Tier  systems.  The  DTI  has  the  option  to  approve 
root-like  privileges  for  personnel  co-located  with  the  Mid-Tier  development 
system.  No  more  than  two  co-located  personnel  will  have  root-like  access, 
unless  special  circumstances  warrant  changing  that  number.  The  number  of  , 
local  systems  administrators  will  not  exceed  three.  The  local  systems 
administrators  will  have  the  authority  of  adding  new  users  and  groups  to  their 
local  Mid-Tier  development  systems.  The  DTI  will  have  the  responsibility  of 
adding  new  users  and  groups  to  all  Mid-Tier  production  systems. 

•  Oracle  Access.  The  DTI  retains  oracle  7  (unrestricted  access  to  the 
Oracle  database)  or  database  administrators  access  to  all  Mid-Tier  systems.  The 
DTI  has  the  option  to  approve  oracle  7-like  privileges  for  personnel  co-located 
with  the  Mid-Tier  development  system.  No  more  Sian  two  co-located  personnel 
will  have  oracle  7-like  access,  unless  special  circumstances  warrant  changing 
that  number.  The  number  of  Local  Database  Administrators  will  not  exceed 
three.  The  Local  Database  Administrators  have  the  responsibility  of  enrolling 
new  users  and  developers  into  the  Oracle  database  on  Mid-Tier  developments. 
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Appendix  C.  Inspector  General  Preliminary 

Results  Memorandum 


INSPECTOR  GENERAL 
DEPARTMENT  OF  DEFENSE 
400  ARMY  NAVY  DRIVE 
ARLINGTON.  VIRGINIA  22202 

APR  1  7  1998 


MEMORANDUM  FOR  DIRECTORS.  FINANCIAL  SYSTEMS  ACTIVITIES 

SUBJECT:  Preliminary  Results  on  the  Audit  of  Allegations  Related  to  Defense 
Finance  and  Accounting  Service  (DFAS)  Support  of  Automated 
Information  Systems  (Project  No.  8FG-S007) 


Our  review  of  the  allegations  (Enclosure  1)  began  on  January  26.  1998.  We 
visited  the  Financial  Systems  Organization  (FSO)  in  Indianapolis  and  the  Financial 
Systems  Activities  (FSA)  in  Columbus  and  Indianapolis,  respectively.  Based  upon 
these  meetings  we  were  able  to  arrive  at  preliminary  conclusions  about  the  allegations. 
We  found  that  the  positions  of  both  the  FSO  and  FSA  personnel  had  merit;  however, 
the  lack  of  effective  communication  between  the  two  groups  was  the  primary  cause  for 
the  problems.  We  are  providing  the  results  of  these  meetings  (Enclosure  2)  for  your 
review  and  comment  before  the  audit  is  concluded. 

During  our  entrance  conference  FSO  personnel  indicated  the  Columbus  FSA 
had  reported  more  problems  with  the  mid-tier  policy  than  the  other  sites  and  suggested 
that  we  begin  our  audit  there.  We  accepted  that  suggestion  and  also  visited  the 
Indianapolis  FSA.  We  telephonically  briefed  the  preliminary  conclusions  to  FSO 
personnel  who  staled  that  quarterly  reviews,  better  documencarion,  and  partnerships 
should  be  considered  as  possible  solutions. 

It  is  essential  that  the  FSO  and  FSA  personnel  work  together  to  ensure  that  cost 
effective  solutions  are  found  for  the  DoD  automated  information  systems  that  they 
administer.  Please  canvass  your  personnel  and  comment  as  to  whether  the  particular 
concerns  of  your  activity  have  been  addressed  adequately.  Also,  please  provide  your 
responses  by  April  27,  1998.  If  there  are  any  questions,  please  contact  Mr.  Eric 
Lewis,  Acting  Audit  Project  Manger,  at  (703)604-9144  (ELewis@DODlG.OSD.MIL). 

/L* — 

F.  Jay  Lane 
Director 

Finance  and  Accounting  Directorate 

Enclosures 

cc:  Under  Secretary  of  Defense  (Comptroller) 

Director,  Information  and  Technology 
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AiiggafinTw  Related  to  Defense  Finance  and  Accounting  Service 
Support  of  Automated  Information  Systems 

The  following  allegations  were  made  regarding  the  FSO  management  of  DFAS 
automated  information  systems. 

1.  Centralizing  certain  FSA  responsibilities  at  the  FSO  is  not  cost  effective. 

2.  The  FSA  staffing  levels  are  inadequate  and  have  caused  FSA  development  programs 
to  be  delayed. 

3.  FSO  work  has  been  unreliable  and  has  to  be  reworked. 

4.  The  FSO  centralization  policy  has  caused  some  projects  to  fail. 

5.  The  FSO  does  not  adequately  track  project  costs. 


Enclosure  1 
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Preliminary  Results  on  the  Audit  of  Allegations  Related 
to  Defense  Finance  and  Accounting  Service  Support  of 
Autoipated  Information  Systems 

Allegations  were  made  about  the  performance  of  the  FSO  in  the  following  areas: 
Centralized  Control,  Staffing,  FSO  Work,  Project  Success,  and  Project  Costing. 

Centralized  Control;  Personnel  at  the  sites  visited  indicated  that  central  control  is 
necessary  to  assure  that  a  set  of  standards  are  established  and  followed  within  DFAS. 
However,  the  personnel  at  those  sites  indicated  that  the  implementation  of  the  policy 
had  not  been  totally  effective. 

•  Standard  Business  Practices:  FSA  personnel  stated  that  the  adaptation  of  standard 
business  practices  for  software  development,  production,  and  maintenance  are 
desirable.  Further,  limiting  all  powerful  administrator  authority  (root  and  Oracle  7) 
to  selected  FSO  personnel  enhances  security.  Centralized  control  also  allows  all 
DFAS  assets  to  be  shared  across  the  Enterprise  Local  Area  Network  regardless  of 
location. 

•  Implementation  Concerns:  FSA  personnel  believe  that  undo  access  restrictions 
deny  application  developers  the  opportunity  to  properly  develop  and  test  software. 
Therefore,  this  requires  the  FSO  personnel  to  attempt  to  test  and  install  software 
applications  they  may  not  understand.  The  FSA  personnel  believe  that  the  FSO  has 
not  produced  sufficient  written  documentation  to  support  the  level  of  accep 
restrictions  nor  adequately  documented  FSO  and  FSA  personnel  job  descriptions 
and  business  procedures. 

We  agree  that  central  control  is  necessary  to  establish  uniform  policies  and  procedures. 
However,  it  is  also  essential  that  the  level  of  access  and  restrictions  should  match  the 
security  and  business  concerns  on  a  cost  effective  basis.  In  order  to  determine  the  best 
solution  effective  communication  is  required  between  the  FSO  and  the  FSAs. 

Decisions  resulting  from  these  communications  should  be  documented  to  reflect  the 
benefits  and  business  risks  involved.  Further,  the  roles  and  responsibilities  of  the 
effected  personnel  should  be  documented  and  updated  when  changes  occur.  It  should 
be  noted  that  the  FSO  had  directed  that  recent  policy  decisions  be  put  on  the  DFAS 
internal  network. 

Staffing.  Since  the  FSO  controls  access  to  the  mid-tier  assets,  it  is  essential  that  the 
FSO  staff  have  the  necessary  experience  to  accomplish  this  function  on  a  cost  effective 
basis.  However,  both  FSO  and  FSA  personnel  have  stated  that  the  FSO  has 

Enclosure  2 
Page  1  of  3 
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experienced  staffing  problems.  Specifically,  turnover  and  experience  arc  critical 
problems.  For  example,  FSA  personnel  stated  that  they  have  encountered  new  FSO 
personnel  who  have  contradicted  the  policies  of  their  predecessors.  Also.  FSA 
personnel  stated  that  they  have  encountered  some  FSO  personnel  who  did  not  seem 
responsive  to  FSA  concerns.  Personnel  at  both  the  Columbus  and  Indianapolis  FSAs 
stated  that  they  had  to  wait  from  hours  to  weeks  for  some  assistance  from  FSO 
personnel,  which  the  FSA  personnel  believe  they  could  have  accomplished  much 
sooner  (with  increased  access  and  permissions).  Both  FSAs  stated  that  the  process  has 
improved  somewhat,  but  still  needs  work.  FSO  personnel  stated  that  resource 
restrictions  will  continue  to  be  a  problem  because  they  arc  only  authorized  a  limited 
amount  of  positions  and  these  personnel  can  always  earn  more  in  the  private  sector, 
after  gaining  practical  training  and  experience.  Further,  the  FSO  personnel  state  that 
customer  (FSA)  service  must  be  improved  to  ensure  that  DFAS  automated  information 
systems  are  administered  on  a  secure  cost  effective  basis. 

We  agree  that  the  staffing  concerns  will  continue  to  be  a  problem  throughout  DoD  at 
current  funding  levels.  This  wUl  require  the  FSO  and  FSAs  to  pool  people,  training 
and  funding  resources  and  responsibilities  to  ensure  that  automated  information  systems 
are  developed  and  maintained  on  a  cost  effective  basis.  However,  security  and  cost 
concerns  must  be  considered  in  these  decisions. 

FSO  Work.  Personnel  from  the  FSAs  stated  that  the  FSO  personnel  simply  did  not 
know  enough  about  the  work  to  get  it  accomplished  in  an  efficient  manner.  Further, 
some  jobs  can  only  be  done  with  the  developer  of  the  software,  such  as  script 
development  and  the  proper  allocation  of  databases  in  a  reduced  system  identifier 
environment. 

We  believe  that  establishing  proper  communications  mediums  such  as  quarterly 
reviews,  will  provide  FSO  and  FSA  personnel  the  appropriate  opportunity  to  determine 
the  most  cost  effective  means  to  accomplish  their 'assigned  tasks.  Also,  performance 
measures  should  be  csublished  so  that  FSO  and  FSA  can  determine  if  new  business 
policies  and  procedures  are  providing  a  benefit  throughout  DFAS.  FSO  personnel  are 
establishing  performance  measures  and  setting  goals  for  responses  to  customer  (FSAs) 
requests.  Measures  should  also  be  established  and  tracked  for  the  performance  of  the 
FSAs  under  these  new  policies. 

Project  Success.  Columbus  and  Indianapolis  personnel  have  stated  that  projects  have 
been  delayed  but  none  have  failed  because  of  FSA  policies.  Because  of  the  lack  of 
performance  measures  costs  could  not  be  readily  identified  related  to  the  delays. 


Enclosure  2 
Page  2  of  3 
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Project  Costing.  Neither  Columbus  or  Indiana^lis  personnel  cited  any  instances 
where  costs  were  not  tracked  adequately.  However,  FSO  personnel  stated  that  delays 
could  result  in  increased  costs  to  the  customer.  The  establishment  of  performance 
measures  will  allow  FSO  and  FSA  personnel  to  accurately  track  costs  and  make 
appropriate  decisions. 


Enclosure  2 
Page  3  of  3 
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Appendix  D.  Director,  Infrastructure  Services 

Organization  Response  to  Inspector 
General  Preliminary  Results 
Memorandum 


DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE 

INFRASTRUCTURE  SERVICES  ORGANIZATION 
8899  EAST  56TH  STREET 
INOIANAPOUS,  IN  46249'280l 


DFAS- ISO/DTI 


May  11,  1998 


MEMORANDtJM  FOR  DEPARTMENT  OF  DEFENSE  INSPECTOR  GENERAL, 
ATTN:  DIRECTOR,  FINANCE  AND  ACCOUNTING 


SUBJECT:  Preliminary  Results  on  the  Audit  of  Allegations  Related 

to  Defense  Finance  and  Accounting  Service  (DFAS) 

Support  of  Automated  Information  Systems 
(Project  No.  8FG-8007) 


We  have  reviewed  the  preliminary  results  of  the  subject 
audit  and  concur  that  all  issues  have  been  adequately  addressed, 
comments  submitted  by  the  Financial  Systems  Activities  (FSAs) 
have  also  been  reviewed.  Most  comments  centered  around  the  need 
to  document  processes  and  procedures.  We  concur  with  the 
for  accurate  and  complete  documentation  and  have  already  taken 
steps  to  strengthen  this  area  with  three  additional  Mid-Tier 
Technical  Guidance  memorandums  being  released  this  month.  We 
will  continue  to  work  with  the  FSAs  to  ensure  all  areas  of 
concern  are  addressed  and  documented.  We  are  also  making  plans 
to  reactivate  our  quarterly  Mid-Tier  working  group  meetings 
within  the  next  90  days.  These  meetings  will  provide  another 
forum  for  improved  communications. 

If  I  may  be  of  further  service,  please  contact  me  at 
(317)  510-5937  or  Mr.  Ed  Broylee  at  (317)  510-5857.  Ed'S  email 
is  ebroyles@cleveland.dfas.mil. 

Paul  E.  Brustad 
Director 


DIRECTOR  FOR  INFORMATION  AND  TECHNOLOGY, 
DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE 
HEADQUARTERS 
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Appendix  E.  Report  Distribution 


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  (Comptroller) 

Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Assistant  Secretary  of  Defense  (Public  Affairs) 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications  and  Intelligence) 
Director,  Defense  Logistics  Studies  Information  Exchange 


Department  of  the  Army 

Auditor  General,  Department  of  the  Army 


Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Navy 
Superintendent,  Naval  Postgraduate  School 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 

Defense  Organizations 

Director,  Defense  Contract  Audit  Agency 
Director,  Defense  Finance  and  Accounting  Service 
Director,  Defense  Information  Systems  Agency 
Director,  Defense  Logistics  Agency 
Director,  National  Security  Agency 
Inspector  General  National  Security  Agency 
Inspector  General,  Defense  Intelligence  Agency 
Defense  System  Management  College 

Non-Defense  Federal  Organizations  and  Individuals 

Office  of  Management  and  Budget 

Technical  Information  Center,  National  Security  and  International  Affairs  Division, 
General  Accounting  Office 
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Congressional  Committees  and  Subcommittees,  Chairman  and 
Ranking  Minority  Member 


Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  National  Security,  Committee  on  Appropriations 
House  Committee  on  Government  Reform  and  Oversight 

House  Subcommittee  on  Government  Management,  Information,  and  Technology, 
Committee  on  Government  Reform  and  Oversight 
House  Subcommittee  on  National  Security,  International  Affairs,  and  Criminal  Justice, 
Committee  on  Government  Reform  and  Oversight 
House  Committee  on  National  Security 
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Defense  Finance  and  Accounting  Service 
Comments 


DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE 


1931  DAVII&  HIWWAV 

ARLINGTON.  VA  22:340-SZBk 

m  ~T  1998 


DTA5-HQ/S 

MEMORANDUM  FOR  DIRECTOR,  FINANCE  AND  ACCOUNTINO 

DIRECTORATE,  OFFICE  OF  THE  INSPECTOR 
GENERAL,  DEPARTMENT  OF  DEFENSE 


SUWECT  DraR  Audit  Repoa  OA  07 AS  Mid-Tier  Sysleuis 

(PJvjcctNo  SPG>3O07) 

This  is  iP  tespoose  to  your  draft  audit  report  dated  September  2X  requesdng 
Defense  FiTuinceand  Ajccountin^  Service  (DFAS)  management  comments  on  the  subject 
audit  report,  DFAS  comments  on  the  recommendations  and  findings  are  provided  below 

RccommendatiQci  1  -  As  reported  in  the  DFAS  Infrastnicture  Services 
OrgwuMtion  (ISO)  FY  S99S  Annual  Statement  of  Assurance,  we  reactivated  iKe 
quarterly  Mid-Tier  working  group  in  September  199S  and  will  hold  the  Erst  joini  meeting 
in  December  199S-  This  action  meets  the  requirement  of  resuming  the  quarterly  reviews 
to  establish  documentation  rules  for  Mid-Tier  lyslcmi  -  ACTION  COMPLETE 

Recommendation  2  -  Ai  indicated  above,  we  have  reactivated  the  quarterly  Mid- 
Tier  working  group  We  will  include  in  our  agenda  for  the  quarterly  review  a  discussion 
of  staffing,  system  access  and  security^  and  policy  arvd  procedures  This  action  meets  the 
requirement  of  Reconunendatioii  2.  -  ACTION  COMPLETE 

Recommendation  3  -  Ac  reported  in  the  DFAS  ISO  FY  199S  Annual  Sucement  of 
Assuiancc^  Out  ovganieation  hw  established  an  Internal  Control  weakness  assessment 
milestone  (the  goal  Of  which  icihe  establishmeni  of  Performance  Measures  lo  deierminc 
if  policies  and  procedursa  arc  providing  a  banerit)Tc  track  the  pcrforniance  of 
implenttnung  mid-tier  poUdes  and  procedures  and  to  accurately  track  project  costs  to 
allow  for  appropriate  deoisiems  to  be  made.  Ourprojecled  mileslonc  completion  dale  has 
been  established  as  Sqncraber  1999  This  action  will  meet  the  requirement  of  developing 
and  impJcrneniing  a  plan  for  Mid-Tier  system  performance  measurement  and  monilonng 
too]  s  to  track  the  efficiency  of  system  projccis . 


My  point  of  contactisMr.  EdCmar*  DFAS  ISO  B)ciernal  Audit  Laisoii.  at 
commercial  (614)  692-5278  or  DSN  850-5278 


/y  C  Vance  Kauziarich 

dclor  for  Information  and  Technology 
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Audit  Team  Members 

The  Finance  and  Accounting  Directorate,  Office  of  the  Assistant  Inspector 
General  for  Auditing,  DoD,  prepared  this  report. 


F.  Jay  Lane 
Salvatore  D.  Guli 
Kimberley  A.  Caprio 
Eric  L.  Lewis 
Suzette  L.  Luecke 
P.  Douglas  Johnston 
Cheryl  D.  Jackson 


